A full decade after convergence was hailed as the next big thing, right around the turn of the millennium; this elusive concept is making a comeback. The difference is that we now have a massive infrastructure, a vast audience, and the will to make contact. Indeed 10 years ago, the potential of the Internet to connect people and deliver efficiencies was identified, but the model was unproven and not enough adopters meant an uphill battle for every XML developer, every PDA manufacturer and for eCommerce sites in general.
Fast forward a decade and here we are: the Internet is no longer is danger of collapsing onto itself as previously feared. Online trust is at an all-time high and people are trying to connect to one-another as well as to every imaginable device from treadmills to Web cams to refrigerators. The market demand for new smartphones, productivity and entertainment software, connectivity and social networking tools appears to be insatiable. We have new hosting and delivery platforms to support emerging business models, new development tools to rapidly create more ways to harness content and exchange information. So from the insular computing models of the 70s, to the networked one-to-one communications of the 80s, to the one-to-many, Internet-enabled evolutionary steps we took in the 90s, we’ve gotten ourselves into a situation where many-to-many relationships are the norm, and not all interlocutors are human.
In fact, in today’s hyper connected world, we have trouble distinguishing between automated avatars that leverage knowledge bases to try to provide real-time, online, customer service; and human beings trying to politely steer us towards the answers to our problems. The difference between internet surfers and automated spidering programs or between legitimate software and spyware is impossible to detect. With the advance of convergence, the lines have become blurred. Thanks to newer, simpler, faster programming languages viruses can now jump across platforms, infecting computers and smartphones with impunity in the process. And with the near universal, viral adoption of social networks, control over the private data of individuals is just a memory.
One of the many, many outfits predicting the polymorphic nature of threats in 2010 and beyond is McAfee, who have just released their 2010 Threat Predictions report. In it are all the things I wrote about in my previous blog post, and then some: complex Trojans, botnets, cyberthieves, social networking exploits and all the Internet-borne mischief one can imagine. And just so they’re not accused of spreading FUD, they note that this will be a good year for the fight against cybercrime. The war against Internet-borne evil. Yawn.
At the risk of repeating myself, the truth is that fundamentally, the threats remain the same, and so do the risks. What’s at stake is our information, our identity, our finances and our way of life. These are not issues to be taken lightly, but they represent threats with common attack vectors. Essentially, with all the convergence, complexity and communications that will be taking place over the next decade, the most effective attacks remain those against the weak links:
- Users – they always assume software like McAfee can protect them against the world’s evils. And if it can’t, then they’re not about to become security experts, so they’re always the best place to start an attack. Solution: up-to-date education on security best practices. Seek it from experts, buy the newest books, read the blogs.
- Technology – convergence is great! It is a wonderful opportunity to find more victims on numerous platforms than ever before. And people practically carry their entire lives on their smartphones, so why not try everything from spyware to ransom-ware on these unsuspecting victims? Solution: tighten privacy controls on every application, enable encryption for data at rest and in transit, and for Pete’s sake, stop using Facebook applications! And help others break the cycle of addiction!
- Maintenance – the third and biggest avenue for cybercrime is really, laziness and lax security practices. Systems that haven’t been updated in ages, transactions that are not monitored, data that hasn’t been backed up: all opportunities to wreak havoc in a space where 100 per cent of breaches are preventable. Solution: adopt security maintenance best practices and map them to compliance requirements (enterprises) or simply take a layered approach to security (individual users)
I will not fail to elaborate on each one of these solutions in future blogs, but in the meantime, feel free to discuss these topics, ask questions, and spread the word. The year of the Tiger doesn’t have to be as bad as some say. Best practices, common sense and an ounce of prevention will get everyone through the year unscathed. I guarantee it.
|About the author:|
|Claudiu Popa, CISSP, PMP, CISA, CIPP, CRMP is an information security consultant and CEO of Informatica Corporation (www.InformationSecurityCanada.com). Claudiu helps enterprises to understand and mitigate security risks, anticipate and respond to threats, and implement proper security governance. He is the author of the Canadian Privacy and Data Security Toolkit for SME, published by the CICA. Write to [email protected] simply contribute your comments to this blog|